403: Invalid secret after working fine for a month

For some reason, every time I now try to login to the web front end I get 403: Invalid secret. Nothing has changed as far as I can tell in my setup, and on another computer where I was already logged (and not logged out as I don’t have a web timeout in my settings) everything seems fine. Not only can I not login, no clients can login to portal either. How can I fix this please?

So far I have tried running php artisan optimize as suggested elsewhere but nothing. The other thing I did on the machine where I still was logged in was to update to latest .40 version (from .33 I believe), but that also made no difference.

Now I tried entering the value of API_SECRET from my .env file, but then the form tells me “Password must contain an upper case character and a number” for some reason (maybe it wants this mysterious one time password that I can’t find anywhere???)


@david do you have any thoughts?

Still on the road to trying to get this to work, I just ran:
php7.4 artisan optimize
php7.4 artisan config:cache and
php7.4 artisan config:clear and

still no love, same exact errors. I don’t understand why this is so brittle. It was working for several weeks without any problem, and then suddenly no login.

Well, this is progress I guess: I commented out the API_SECRET line in my .env file, and then ran php7.4 artisan optimize and now at least I can login. But I thought the whole point of that line was to protect self hosters from random API users/hackers? Is there some other way to better secure my site or restore this protection? Thanks.

From the docs:


As an additional layer of security for self hosters, this prevents randoms from registering / probing your API

Does changing the secret value help?

no, I just tried giving API_SECRET a new value and uncommenting it, and the same 403 error returns.

Is there some format to API_SECRET value that must be respected? No special characters? No numbers? not inside quotes?

in any event, I think I have tried all combos, same thing. the presence of any value for this inside .env file causes this 403 invalid secret error.

To clarify, are you also setting the value in the secret field in the login form?

I am not sure what you mean. If you mean did I try filling in that field in the form when logging in with the value set in the API_SECRET var of the .env file, yes. I tried with it, without it, no difference except in the error message I described above.


I can recreate this, it looks like the AP has validation requirements on the secret field

Thanks, I’ll correct it

Thanks! Just curious, was this introduced in a recent version? Perhaps I only saw it after setup because of an update? And once fixed, I should be able to replace the value in the .env file and still login (as well as clients will be able to login)?

I don’t think so, we haven’t touched this code in quite a while.